SQL injection in 1.5 - fixed in 1.6?


#1

Hello,

we just had an SQL-injection in the 1.5 version of Piwik using the following url:

http://oursite/piwik/index.php?module=API&method=Referers.getKeywords&idSite=1'&period=month&date=yesterday&format=Html&token_auth=piwik&PIWIK_SESSID=gie40nf5pl5osigj8g3nfqvmt3

(SQL-calls obmitted)

At least some of our database-tables were read. As said, we were using 1.5. but without anonymous view rights (which I know had some issues fixed in 1.6.) With Piwik 1.6, this exact injection is no longer possible, but was it really fixed or did the syntax simply change?

Thanks,
Sebastian


(vipsoft) #2

For obvious reasons, the developers aren’t going to answer publicly in the forum.

Send your message (and include the SQL used in the URL) to security (at) piwik.org.